Problem with iptables [SOLVED]

1. Problem with iptables [SOLVED]

cassiano
cassianoh

(uses Other)

Posted on 08/11/2014 - 12:24h

Good morning, friends. I'm new to the community; I hope I'm posting this question in the right place.
I need to simulate an environment for a college project. Later these settings will be used in a real environment. The setup is as follows:
on my notebook I have a VM with Windows 7 Professional, which is my client. Its network adapter is configured as an internal network, forcing it to browse through the other VM, a CentOS 6 box with two network adapters: the internal one and another that receives the Internet connection.
I've already done some configuration and am currently trying to set up Squid with iptables.
The situation is this: on the Win7 client I configured the proxy manually, to be sure traffic goes through my proxy. With Squid and iptables running, the client can ping the server, external IPs and hostnames, but it does not browse in the browser.
If I flush the iptables rules, the client can browse.

I'll post the iptables config here; I can't find the error.


#!/bin/bash
#Description: apply iptables rules to secure network traffic
clear
echo -en "\nFirewall: Enabling routing..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -en "ok!"

echo -en "\nFirewall: Flushing rules..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo -en "ok!"

echo -en "\nFirewall: Creating rules..."
# Note: the PERMITIDO chain is created here, but no rule below ever jumps to it.
iptables -N PERMITIDO
iptables -A PERMITIDO -p tcp --syn -m state --state NEW -j ACCEPT
iptables -A PERMITIDO -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# --tcp-flags takes two arguments: the mask, then the flags that must be set.
# The posted line had a stray space after "SYN," and no second argument;
# "RST" is assumed here as the flag being rate-limited.
iptables -A PERMITIDO -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#iptables -A PERMITIDO -p tcp -j DROP
echo -en "ok!"

echo -en "\nFirewall: Setting default policies..."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo -en "ok!"

echo -en "\nFirewall: Allowing local access..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
echo -en "ok!"

echo -en "\nFirewall: Allowing SSH port..."
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
echo -en "ok!"


echo -en "\nFirewall: Allowing ping..."
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
echo -en "ok!"

echo -en "\nFirewall: Allowing DNS port..."
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
echo -en "ok!"

echo -en "\nFirewall: Allowing HTTP port..."
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo -en "ok!"

echo -en "\nFirewall: Masquerading (NAT)..."
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
echo -en "ok!"

echo -en "\nAllowing Squid..."
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp --sport 3128 -j ACCEPT
echo -en "ok!"


and the Squid configuration

http_port 3128
visible_hostname uceff
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.4.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all


I'd appreciate it if someone could shed some light on this.




2. Re: Problem with iptables [SOLVED]

Josue de Jesus Santos
JJSantos

(uses Gentoo)

Posted on 08/11/2014 - 19:40h

I made a few changes, give it a try.


#! /bin/bash
#Firewall configuration via iptables
###########################
#######OPENING BANNER##### #
echo "Starting FIREWALL"
###########################

##################################################################
#The iptables modules are loaded with modprobe                   #
##################################################################

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_tos
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_MARK

####################
#Network interfaces#
####################

# Defined here but not referenced by any rule below.
LAN=eth0

######################
#Flush all rules     #
######################

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

###################
#CONNECTION SHARING
###################

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

#################################
##Local ACCEPT policies#########
#################################

# The PERMITIDO chain is created here, but no rule below ever jumps to it.
iptables -N PERMITIDO
iptables -A PERMITIDO -p tcp --syn -m state --state NEW -j ACCEPT
iptables -A PERMITIDO -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# --tcp-flags takes two arguments: the mask, then the flags that must be set.
# The posted line had a stray space after "SYN," and no second argument;
# "RST" is assumed here as the flag being rate-limited.
iptables -A PERMITIDO -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A PERMITIDO -p tcp -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

###########################
#Allow SSH access#########
###########################

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT

###########################
######Allow ICMP###########
###########################

iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

###########################
######Allow DNS###########
###########################

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

###########################
######Allow HTTP###########
###########################

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

#############################################
###Traffic to Squid##########################
#############################################

# Note: these rules only open port 3128 on INPUT; there is no REDIRECT rule,
# so clients must have the proxy configured explicitly.
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp --sport 3128 -j ACCEPT

################
##CLOSING BANNER
################

echo "Firewall configuration complete."



http_port 3128
visible_hostname uceff
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.4.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all



3. Re: Problem with iptables [SOLVED]

cassiano
cassianoh

(uses Other)

Posted on 09/11/2014 - 20:21h

Still the same problem: the client machine does not browse with the proxy set. If I remove it, it browses.


4. Re: Problem with iptables [SOLVED]

Fagner
atem

(uses CentOS)

Posted on 12/11/2014 - 08:17h

You said that if you remove the iptables rules it browses, and below you said that if you remove the proxy it browses...

Can you explain?

Example: if you flush the firewall rules and leave Squid configured in the browser, does it browse normally?

Example 2: with the browser unconfigured and iptables with the rules in place, does it browse?

Example 3: with the browser configured and iptables with the rules, it does not browse? Is that it?




5. Re: Problem with iptables [SOLVED]

Josue de Jesus Santos
JJSantos

(uses Gentoo)

Posted on 12/11/2014 - 23:14h

cassianoh wrote:

Still the same problem: the client machine does not browse with the proxy set. If I remove it, it browses.


Man, the firewall is correct!
Have you checked the proxy logs?


6. Re: Problem with iptables [SOLVED]

cassiano
cassianoh

(uses Other)

Posted on 13/11/2014 - 17:15h

Friends, I really appreciate everyone who was interested in helping, but after running several tests with the help of a professor, we added the following lines:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT


After adding that, everything worked correctly.


Thanks
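The fix above works because Squid's upstream connection leaves the CentOS box through OUTPUT (policy ACCEPT) but the web server's SYN-ACK comes back through INPUT (policy DROP), and the posted script had no rule accepting return traffic on INPUT. Accepting `--sport 80` plugs that one hole, but it only covers port 80 (not 443 for CONNECT) and it lets any remote host reach any local port simply by sending from source port 80. The stateful rewrite below is an added example, not the original poster's or the other participants' script. It assumes, because the thread does not say, that the LAN interface is eth0, that the LAN is 192.168.4.0/24 (taken from the Squid `redelocal` ACL), that eth2 is the Internet interface (from the MASQUERADE rule), and that clients have the proxy set manually, so no REDIRECT rule is needed.

```shell
#!/bin/sh
# Stateful version of the ruleset discussed in this thread (added example, not
# the original script). Assumptions, not stated in the thread: LAN interface
# eth0, LAN 192.168.4.0/24 (from the Squid "redelocal" ACL), Internet interface
# eth2 (from the MASQUERADE rule), Squid on 3128 with the proxy set manually in
# the browser (hence no REDIRECT rule).
#
# Usage:  ./fw.sh apply            (needs root)
#         IPT=echo ./fw.sh apply   (dry run: print the commands instead)
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.4.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

flush_rules() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

apply_rules() {
    flush_rules

    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Return traffic for connections this box or the LAN opened. This is the
    # rule the thread's script lacked: Squid's upstream SYN left via OUTPUT
    # (ACCEPT) but the SYN-ACK arrived on INPUT (policy DROP) and was dropped.
    # Unlike "--sport 80", this covers 443 and every other upstream port, and
    # does not admit an outsider just because they send from source port 80.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    "$IPT" -A INPUT -i lo -j ACCEPT

    # Services this box offers, reachable only from the LAN side. Matching
    # NEW only means these rules never double as a reply hole.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # LAN -> Internet: DNS and ping only. Web traffic is deliberately not
    # forwarded, so a client that removes the proxy setting gets nothing
    # instead of bypassing Squid.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# The rule set as text, one command per line (for review and for tests).
# Runs in a subshell so the IPT override does not leak.
rules_text() {
    ( IPT=echo; apply_rules )
}

if [ "${1:-}" = "apply" ]; then
    [ "$IPT" = "echo" ] || sysctl -w net.ipv4.ip_forward=1
    apply_rules
fi
```

Run `IPT=echo ./fw.sh apply` first and read the output; then apply as root. With conntrack doing the work, there is no `--sport` rule anywhere, and the only ports opened on INPUT are the ones the box actually serves to the LAN.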





